Mark Graff, Chief Cyber Security Officer at Lawrence Livermore National Laboratory, tells us what to expect from future viruses and other Internet security threats.
Event on 8/28/03 in Livermore.
MICHAEL MALONEY / The Chronicle

Many more worms will wriggle into our future / Security expert foresees no end to bugs hitting computer networks

Now that most businesses have recovered from the Blaster and SoBig worms, and the FBI has arrested one of the alleged virus writers, the computer world is settling back to normalcy.

Until the next hacker decides to whip up a little Internet mayhem. Then the whole dispiriting process of computer shut-downs and emergency alerts will begin again. And next time, it will probably be worse.

That's the vision of the Net through the eyes of security guru Mark Graff, chief cyber-security officer at Lawrence Livermore National Laboratory and author of a number of security books. Graff, who looks a little like a mountain man and talks like a liberal arts professor, says that the virus situation will get much, much worse before it gets better.

"There's no reason to believe that the recent East Coast power outage had anything to do with a worm, but that sort of event is exactly what we might experience some years down the road if we don't protect our infrastructure better," Graff said.

The problem won't get better in the near future because the software industry -- and the Internet -- aren't set up to reward companies for writing programs without security holes that worms can wriggle into, Graff said.

It may take a disaster much greater than a power outage to get software companies to buckle down and write bullet-proof software, he said.

"People are willing to put up with the ramifications of inadequate computer security for a long time unless it affects their everyday lives. . . . I have such a vivid imagination I'd rather not speculate" on what kind of tragedy would finally provoke the world to end the virus war, he said.

There are forces fighting viruses now. Microsoft has pledged to improve the security of its products, which are the target of most widespread attacks. The FBI, the Secret Service, and regional U.S. attorneys' offices have developed well-trained teams for high-tech law enforcement who bring virus writers and other malicious hackers to justice. And a whole industry of antivirus software has flourished.

But other experts agree with Graff that none of these efforts can stem the tide until the economics change.

"People haven't demanded strong security," said Nate Lawson, senior security engineer at San Francisco consulting firm Cryptography Research. "A single company hasn't lost a billion dollars because of a virus. They haven't lost their next-generation product designs. (Instead, losses are) spread out among a lot of people."

Graff, 52, started working at Lawrence Livermore in January, after a career that included eight years at Sun Microsystems and six years as an independent security consultant. Now he drives from his home in the mountains of unincorporated San Mateo County to Livermore to protect the scientists at the national laboratory from everything from international espionage to the same worms that threatened the average computer user last month.

The job is worth the drive, which he makes only about three times a week.

"We have a bunch of world-class scientists trying to get things done who really don't want to be diverted by worrying about computer security," he said.

Graff is comfortable working in the former military barracks at the labs, behind two checkpoints and two locked doors. He got his start maintaining computers in the Air Force in the 1970s, and he's naturally security-minded. In fact, while he will disclose that he is married with children, he prefers not to reveal how many kids he has, for their safety.

He does a lot of deep thinking about the future of the Internet and security, following the latest research from laboratories at universities and corporations. He's also well-read in less scientific fields and peppers his predictions about the Net with references to social scientists and historic events.

He bases his prediction that it will take a tragedy to propel the Net into a higher level of security in part on historical examples of how tragedies have helped spur media technology. For example, he says, one of the seminal events of television was the unsuccessful struggle to rescue 3-year-old Kathy Fiscus from a well in 1949. In telling the story, Graff spells the child's name from memory.

Fiscus fell into an abandoned well in San Marino (Los Angeles County), and the efforts to save her became the world's first televised breaking news story.

Unfortunately, by the time rescue workers reached her two days later, Fiscus was dead.

Until the cataclysm that causes a sea-change for Internet security, Graff expects a continuation of the current arms race between software makers, virus writers and security companies.

"The attacks are going to come faster and faster, closer together. . . . Eventually, as far as we're concerned, it will be one constant attack."

Networks will have to respond to virus attacks without waiting for human interaction. For example, virus experts at Cupertino's Symantec and other security firms now quickly examine new viruses and write "definitions" of them, which are then sent out to customers' networks.

"IBM has done a lot of research on self-healing networks," he said. "We have to look at the network as an immune system that can defend itself with intelligent agents -- software that can react and is highly mobile inside the network, that can go to the trouble spot just like white blood cells are transported to a wound spot by the bloodstream."

All the while, each virus attack will have higher stakes as computers become even more ubiquitous than they already are.

"The Internet will be almost everywhere -- it will be built into our materials," he said, noting that everything from building temperature control systems to high-end refrigerators is already online.

Someday tiny computers will be sent inside the human body to do surgery and send data back to medical devices using the wireless Web, he said, describing a prediction by inventor and futurist Ray Kurzweil.

"When those things become possible, we're going to be insisting on a level of reliability that's much greater than we have today," Graff said.